Building a User Management Application

Any security-critical application needs some way of identifying its users and controlling what each of them may do. In this article we begin to build a user management system that gives us control over who has access to which parts of our application. This is the second part of a nine-part series.

Our user management system will include the following modules:

  • Login

  • Logout

  • User Registration

  • Account Activation

  • Password Management


These are the basic building blocks of any site or application that needs secure user management.

The structure

Our user information will be stored in a database called "user", which contains a table called "users" that actually holds the records. So how will this system work? The user logs in through the login page. That script looks the submitted username up in the table, checks that the password matches what is stored for that user and that the account has been activated, and authenticates accordingly. If the checks pass, she is sent to the home page; if not, she is told the outcome through an error message.

The second part of this system deals with user registration. Basically the registration process will take place if the user clicks on the register link. This link will only be available on certain pages of the system, such as the login page. The user will be required to fill in all the fields on the registration page, and if anything should go wrong, an error message will be displayed.

The third part of the system deals with the maintenance of the user’s password. It has two scripts. One deals with forgotten passwords and the other enables a user to change her password.

So all in all, the system is made up of the following scripts:

  • login.php – This script is responsible for authenticating a user by checking to see if the user exists in the database, and that the user’s account is active.

  • logout.php – This script ends a user session and returns the user to the login page.

  • register.php – This script registers new users to the system. It is through this registration process that the user is given the login details that enable her to log into the user management system.

  • activate.php – This script activates a newly registered user account.

  • forgotten_password.php – The name of the script already tells you its purpose. It is responsible for generating a new password for a user, and then sending it to the user.

  • changepass.php – This script enables a logged-in user to change her password.

Other application-wide scripts include:

  • user.css – This style sheet contains all of the styles that are used to give the user management system a uniform look and feel.

  • main.dwt.php – This is the template that underpins all of the pages and scripts of the site.

  • global.php – Contains the database connection information. Because it holds the database credentials, keep it outside the web root, or otherwise make sure the web server never serves it as plain text.

  • func.inc – Contains helper functions for the system scripts. A web server serves a .inc file as plain text unless it is configured to run it through PHP or to refuse it, so this file belongs outside the document root as well.

The database

I chose a database over file-based storage because of the security it offers. A flat file kept under the web root can be fetched by anyone who guesses its URL, and anyone who gets at the filesystem can simply open and read it. A database sits behind its own credentials and is never served by the web server, so its records are harder to come by, though they are only as safe as the credentials in global.php and the form in which the passwords inside it are stored.

For our system I've created a database called "user" that contains a table called "users." This table has six fields, each holding a different piece of information about a user:

  • uid – An auto-incremented integer that uniquely identifies each user.

  • uname – The user name.

  • upass – The user's password hash. The column is forty characters wide, the length of a hex-encoded SHA-1 digest, which is the form the first two sample rows below use.

  • level – The user's access level ("admin" or "normal" in the sample data).

  • email – The user's email address.

  • active – The state of the user's account activation. The sample rows hold "0" or "1"; the column's 32-character width also leaves room for a longer value such as an activation key.


Below is the SQL code for the table, together with three sample rows. Paste it into your MySQL client after creating and selecting the `user` database (CREATE DATABASE `user`; USE `user`;):

# Database : `user`
#
# --------------------------------------------------------
#
# Table structure for table `users`
#

CREATE TABLE `users` (
  `uid` int(4) NOT NULL auto_increment,
  `uname` char(50) default NULL,
  `upass` char(40) default NULL,
  `level` char(8) NOT NULL,
  `email` char(50) NOT NULL,
  `active` char(32) default NULL,
  PRIMARY KEY (`uid`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;

#
# Dumping data for table `users`
#

INSERT INTO `users` VALUES (1, 'david', '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684', 'admin', 'david@dweb.com', '1');
INSERT INTO `users` VALUES (2, 'joe', '1390470c09daf4c6179c197e6aebe9821c9ca92d', 'normal', 'joe@smith.com', '0');
INSERT INTO `users` VALUES (3, 'jack', 'monday', 'normal', 'jack@smith.com', '0');

Note that the first two rows hold forty-character hexadecimal hashes in `upass`, while the third holds the literal word "monday". The login script compares what it computes from the submitted password against this column, so a plain-text value there will not match the hash of the same password; every account should store a hash.

The column widths put an upper bound on what each field accepts: forty characters for the password hash, fifty for the username, and so on. This is a sanity limit rather than a security control; input still has to be validated in PHP before it reaches the query. The `upass` width in particular ties the table to a hash whose hex encoding is exactly forty characters, so moving to a longer or salted format later means widening the column. I also used the fixed-width char type rather than varchar; for short columns like these the difference in speed is negligible either way, and varchar is the more common choice when values vary in length. Note too that nothing in the table prevents two rows from sharing a `uname`; the registration script has to check for an existing name before inserting, or the column can be declared UNIQUE.

  `uname` char(50) default NULL,
  `upass` char(40) default NULL,
  `level` char(8) NOT NULL,
  `email` char(50) NOT NULL,
  `active` char(32) default NULL,
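The following Python program is an example added here, not code from the article. It models the flows laid out in "The structure" against this table: an in-memory SQLite copy of the `users` schema loaded with the three sample rows, register (which parks a random activation key in `active`), activate, and login with a parameterised query, a password check and the active check. The article does not say which function produced the forty-character `upass` values; SHA-1 is assumed here because its hex digest is exactly that long. The salted PBKDF2 format, the widened `upass` column it needs, and all function names are this example's own.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# SQLite rendering of the article's MySQL `users` table (assumption: types
# mapped to SQLite's; upass widened from char(40) so salted hashes fit
# alongside the legacy 40-character ones).
SCHEMA = """
CREATE TABLE users (
    uid    INTEGER PRIMARY KEY AUTOINCREMENT,
    uname  TEXT,
    upass  TEXT,
    level  TEXT NOT NULL,
    email  TEXT NOT NULL,
    active TEXT
);
"""

# The article's three sample rows.  Rows 1 and 2 carry 40-hex-digit hashes;
# row 3 carries the literal word "monday".
SAMPLE_ROWS = [
    (1, "david", "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684", "admin", "david@dweb.com", "1"),
    (2, "joe", "1390470c09daf4c6179c197e6aebe9821c9ca92d", "normal", "joe@smith.com", "0"),
    (3, "jack", "monday", "normal", "jack@smith.com", "0"),
]

PBKDF2_ITERATIONS = 200_000


def sha1_hex(password: str) -> str:
    """Legacy scheme assumed for the sample rows: unsalted SHA-1, 40 hex digits.
    Fast to brute-force and identical for identical passwords, so it is kept
    only to verify rows that already use it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2$<salt hex>$<digest hex>'
    (this example's own storage format)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check against either stored format.  A value that is
    neither (such as the plaintext 'monday' row) never verifies."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$", 2)
        return hmac.compare_digest(pbkdf2_hash(password, bytes.fromhex(salt_hex)), stored)
    if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored):
        return hmac.compare_digest(sha1_hex(password), stored)
    return False


def open_db() -> sqlite3.Connection:
    """Create the table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def register(conn: sqlite3.Connection, uname: str, password: str, email: str) -> Optional[str]:
    """register.php: refuse a taken name (the schema has no UNIQUE key on uname),
    store a salted hash, and park a random 32-hex-digit activation key in
    `active` for activate.php to consume.  Returns the key, or None."""
    if conn.execute("SELECT 1 FROM users WHERE uname = ?", (uname,)).fetchone():
        return None
    key = secrets.token_hex(16)
    conn.execute(
        "INSERT INTO users (uname, upass, level, email, active) VALUES (?, ?, 'normal', ?, ?)",
        (uname, pbkdf2_hash(password), email, key),
    )
    return key


def activate(conn: sqlite3.Connection, key: str) -> bool:
    """activate.php: flip the one row holding this key to '1'.  The length
    check keeps a request with key '1' from touching already-active rows."""
    if len(key) != 32:
        return False
    cur = conn.execute("UPDATE users SET active = '1' WHERE active = ?", (key,))
    return cur.rowcount == 1


def login(conn: sqlite3.Connection, uname: str, password: str) -> Optional[str]:
    """login.php: parameterised lookup (the username is bound, never spliced
    into the SQL string), then the password check, then the active check.
    Returns the user's level on success and None otherwise."""
    row = conn.execute(
        "SELECT upass, level, active FROM users WHERE uname = ?", (uname,)
    ).fetchone()
    if row is None or not verify_password(password, row[0]):
        return None
    return row[1] if row[2] == "1" else None
```

Binding the username as a parameter is what keeps a value such as `' OR '1'='1` from changing the query; the same shape applies to the PHP scripts in the rest of the series. Keeping the activation key in `active` reuses the article's column, but a real system would rather give the key its own column with an expiry.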


Templates

The template, as mentioned earlier, gives the entire application a unified look and feel. Below is the code for it:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- TemplateBeginEditable name="doctitle" -->
<title>Untitled Document</title>
<!-- TemplateEndEditable -->
<!-- TemplateBeginEditable name="head" -->
<!-- TemplateEndEditable -->
<link href="../user.css" rel="stylesheet" type="text/css" />
</head>

<body>
<table width="100%" border="0">
  <tr>
    <td colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2" valign="top" class="header">User Management </td>
  </tr>
  <tr>
    <td width="65%" valign="top"><!-- TemplateBeginEditable name="Main" -->Main<!-- TemplateEndEditable --></td>
    <td width="35%" valign="top"><!-- TemplateBeginEditable name="Nav" -->Nav<!-- TemplateEndEditable --></td>
  </tr>
  <tr>
    <td colspan="2" class="copy">&copy;2008</td>
  </tr>
</table>
</body>
</html>


The template provides two editable regions. One is called "Main"; it is the area into which each script's output is placed:

<td width="65%" valign="top"><!-- TemplateBeginEditable name="Main" -->Main<!-- TemplateEndEditable --></td>

The other is called "Nav"; it provides a space for the navigation links:

<td width="35%" valign="top"><!-- TemplateBeginEditable name="Nav" -->Nav<!-- TemplateEndEditable --></td>

The rest of the template is not editable, which keeps the page layout separate from the PHP code. Whatever a script writes into these regions that originated with a visitor, such as the username shown on the home page or a value echoed back in an error message, must be passed through htmlspecialchars() first so that it cannot inject markup into the page.
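As an added example (not code from the article), the following Python renderer fills the template's editable regions the way the PHP scripts will: it finds each TemplateBeginEditable/TemplateEndEditable pair by name, replaces the placeholder body, and HTML-escapes anything that came from a visitor while inserting the application's own navigation markup verbatim. The region names, placeholder text and the table row are taken from the template above (in its standard `<!-- -->` comment form); the function names, the `text`/`markup` split and the sample pages are this example's assumptions.

```python
import html
import re
from typing import Dict, List, Optional

# One editable region: group 1 is its name, group 2 its current body.
# Assumes the standard Dreamweaver comment form <!-- ... -->.
REGION = re.compile(
    r'<!--\s*TemplateBeginEditable\s+name="([^"]+)"\s*-->(.*?)<!--\s*TemplateEndEditable\s*-->',
    re.DOTALL,
)

# The template's body row, reduced to the two regions the article describes
# (constructed from the template above; the rest of the page is omitted).
TEMPLATE = """<tr>
<td width="65%" valign="top"><!-- TemplateBeginEditable name="Main" -->Main<!-- TemplateEndEditable --></td>
<td width="35%" valign="top"><!-- TemplateBeginEditable name="Nav" -->Nav<!-- TemplateEndEditable --></td>
</tr>"""


def region_names(template: str) -> List[str]:
    """Names of the editable regions, in document order."""
    return [m.group(1) for m in REGION.finditer(template)]


def render(template: str, text: Optional[Dict[str, str]] = None,
           markup: Optional[Dict[str, str]] = None) -> str:
    """Fill the editable regions.  Values in `text` are visitor-influenced and
    are HTML-escaped; values in `markup` are fragments the application built
    itself (navigation links) and go in verbatim.  A region named in neither
    keeps its placeholder, so a misspelt name shows up in the output rather
    than silently dropping content."""
    text = text or {}
    markup = markup or {}

    def fill(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name in markup:
            body = markup[name]
        elif name in text:
            body = html.escape(text[name], quote=True)
        else:
            return m.group(0)
        return (f'<!-- TemplateBeginEditable name="{name}" -->'
                f'{body}<!-- TemplateEndEditable -->')

    return REGION.sub(fill, template)


def login_error_page(submitted_uname: str) -> str:
    """The login page's failure path: the name the visitor typed is echoed back
    inside a .error span.  The span is app markup, so it goes in via `markup`,
    but the name inside it is escaped explicitly first."""
    message = (f'<span class="error">Login failed for '
               f'{html.escape(submitted_uname, quote=True)}</span>')
    return render(TEMPLATE, markup={"Main": message,
                                    "Nav": '<a href="register.php">Register</a>'})


def welcome_page(uname: str) -> str:
    """The home page after login: the username goes in through `text`, so the
    renderer escapes it."""
    return render(TEMPLATE, text={"Main": f"Welcome, {uname}"},
                  markup={"Nav": '<a href="logout.php">Logout</a>'})
```

The split into `text` and `markup` makes the safe path the default: a script only gets raw markup into the page by choosing the `markup` argument, which is easy to spot in review.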

Style Sheet

The style sheet does the job of providing a style for each element on the HTML page. Below are the styles that are defined:


body {
  font-family: Verdana;
}

.header{
  border:1px dotted #FF9933;
  font-size:14px;
  font-weight:bold;
  color:#000000;
  background-color:#FFCC99;
}

.copy{
  text-align:right;
  font-size:9px;
}

.welcomeheader{
  color:#FFCC99;
  font-size:18px;
  font-weight:bold;
}

/*Navstyles*/
.bord{
  border:1px dashed #FF9900;
  background-color:#FFCC99;
}

.txt{
  color:#666666;
}

/*form styles*/
.error{
  color:#FF0000;
  font-weight:bold;
}

.lbl{
  font-weight:bold;
}

.bordr{
  border:2px solid #000000;
}


The first class defined is the header class. It formats the header section of the page by setting its border, font size, weight, text colour and background colour:

.header{
  border:1px dotted #FF9933;
  font-size:14px;
  font-weight:bold;
  color:#000000;
  background-color:#FFCC99;
}


The result looks something like this:

[image: the rendered header bar]

The above header is visible on every page of the system. The second style defined formats the copyright line of the application:


.copy{
  text-align:right;
  font-size:9px;
}

It is very short and has only two declarations: it aligns the text to the right and reduces the font size to nine pixels.

This is what it looks like:

[image: the rendered copyright line]

The last class defined for the main section of the template is the welcome header class. It sets the colour, size and weight of the welcome text:

.welcomeheader{
  color:#FFCC99;
  font-size:18px;
  font-weight:bold;
}


The result of the above code looks something like this:

[image: the rendered welcome header]

The next part of the code deals with the application's navigation styles. Two classes are defined: bord sets the border and background of the navigation box, and txt sets the colour of the navigation text:

/*Navstyles*/
.bord{
  border:1px dashed #FF9900;
  background-color:#FFCC99;
}

.txt{
  color:#666666;
}



The final section deals with the form elements. It defines three classes: error sets the style of the error messages that appear on the form, lbl sets the style of the form labels, and bordr draws a solid black border:

/*form styles*/
.error{
  color:#FF0000;
  font-weight:bold;
}

.lbl{
  font-weight:bold;
}

.bordr{
  border:2px solid #000000;
}

In the next article we will continue to discuss the application wide scripts that we started to talk about here. See you next week!

